Can a Watch Be a Medical Device?

The Apple Watch Series 4 includes a sensor that can conduct an electrocardiogram. But what are the risks?

This week's announcement of a new Apple Watch that includes a sensor that can conduct an electrocardiogram spotlights the emergence of consumer apps that appear to cross over into the territory of medical devices, raising potential cybersecurity concerns.

For example, is it theoretically possible that the ECG results from the watch could be intercepted via the internet and then altered to potentially change a diagnosis?

But security experts emphasize that this type of risk must be weighed against the potential life-saving benefits of the new consumer technology. And the Food and Drug Administration says it scrutinized Apple's cybersecurity provisions before approving the marketing of the ECG functionality.

New Watch Functionality

On Wednesday, Apple unveiled the new Apple Watch Series 4 featuring the watchOS 5 operating system that the company says "brings advanced activity and communications features, along with revolutionary health capabilities, including a new accelerometer and gyroscope, which are able to detect hard falls, and an electrical heart rate sensor that can take an electrocardiogram using the new ECG app."

Apple says the FDA granted the ECG app a "De Novo" classification, which means the device is "novel" with no existing classification or predicate device on the market.

An FDA spokeswoman tells Information Security Media Group that the agency's evaluation of the new Apple health products included a cybersecurity review. "Medical devices, like the ECG app, are assessed in accordance with FDA's premarket guidance" for cybersecurity, which FDA issued in October 2014, she says.

Apple declined to comment on the security provisions of its latest Apple Watch.

FDA, in response to a recent review by the Department of Health and Human Services' Office of Inspector General, said this week it has efforts underway to ramp up scrutiny of medical device cybersecurity (see FDA to Ramp Up Medical Device Cybersecurity Scrutiny).

New Health Tools

The two new Apple Watch health applications are examples of "a new technological paradigm of digital health tools, like apps, that enable consumers to have more active engagement and access to real-time information about their health and activities," say FDA Commissioner Scott Gottlieb, M.D., and Jeff Shuren, M.D., director of the FDA Center for Devices and Radiological Health, in a joint statement.

"With these advances has come a new swath of companies that are investing in these new opportunities," the joint statement says. "These firms may be new to healthcare products and may not be accustomed to navigating the regulatory landscape that has traditionally surrounded these areas."

The FDA worked closely with Apple as the company developed and tested its new software "which may help millions of users identify health concerns more quickly," the statement notes.

Managing Risks

Indeed, new consumer-oriented health apps bring new opportunities, but also new risks, including cybersecurity challenges.

"The trick is managing that risk," says former healthcare CIO David Finn, executive vice president of strategic innovation at security consultancy CynergisTek.

"The FDA is correct when they say healthcare has been slow to implement disruptive technologies," he says. "And while there always has to be a happy balance, there are some good reasons that healthcare is more risk averse. [Those reasons are] the impacts of uncontrolled or unmanaged technology on clinical processes, on patient care, on quality and on safety."

Healthcare is moving very rapidly to a consumer-driven model and it will have to innovate faster, he adds. "Faster shouldn't mean less safe; it does mean that healthcare is going to have to take on and manage more risk," he says.

"The biggest risk around all this hyper-connectivity is that the provider doesn't control the device - they don't know its state - is it 'clean' or 'infected'? They don't know how the data was created or what was done to it since creation," Finn says.

"Every time a device connects to another device or to a network that may be in contact with hundreds or hundreds of thousands of other devices, you create a vector to spread not only the things you want to share - an EKG - but also malware or perhaps worse, data that has been corrupted - intentionally or unintentionally."

Risks vs. Benefits

But some patient advocates stress that new medical innovations that give patients a better sense of control and provide more information related to their health offer benefits that potentially outweigh the various risks.

"I have little concern with apps that give consumers more access to their health data. This is the right thing to do if we hope for people to engage and take more responsibility for their health," says Hugo Campos, a patient advocate and chair of the California Precision Medicine Consortium Community Advisory Board.

"The cybersecurity vulnerabilities of a watch that records ECGs are of little concern to me," Campos, who has an implanted cardiac device, tells ISMG. "An intrusion into my email server or cloud drive would be far more worrisome."

In addition, the Apple Watch passively collects heart rhythm data, he notes. "It delivers no therapy to its user. On the other hand, a pacemaker or cardiac implantable defibrillator such as the one I have, are active implants capable of delivering electricity to the heart."

And yet, these implanted devices are connected to the internet and patients have no access to their data stream, which is frustrating, he argues. "Unlike with the Apple Watch, a cyber intrusion to a connected cardiac rhythm device such as a pacemaker has the potential of putting a person's life in danger or harm them in a very real way. The real risk lies in connecting our medical devices to the internet of things and failing to include patients in the surveillance of their own devices. That's what we must fix."

Campos would like to see government policies that promote medical innovation, especially those that provide patients with better control and more information about their own health.

"The FDA should stand clear of consumer apps and allow for innovation to take place. In addition, the FDA should change their stance toward medical device makers and only approve devices that find ways to include patients as equal partners in their care by giving them access to all data collected by these devices," he says. "Our health data should never, under any circumstances, be kept from us. Today, medical devices like pacemakers, implantable cardiac defibrillators ... do not share data and reports with patients. And this is absurd."

"A technology giant such as Apple is better prepared to handle cybersecurity than a medical device company, like Medtronic or Abbott, for example," he contends. The August 2017 recall of Abbott pacemakers to address cybersecurity vulnerabilities affected more than 465,000 U.S. patients, he notes.

Risk-Based Approach

While some patient advocates, including Campos, are concerned that too much regulatory oversight over consumer health apps could slow innovation, some security experts say FDA must take a risk-based approach when it comes to security issues in a consumer-oriented medical product that could impact patient safety.

"While the technology is different in many ways, security is always about managing risk and creating the best set of controls possible," says Bill Aerts, deputy director of the Archimedes Center for Medical Device Security at the University of Michigan.

"Many of the concerns are the same as with any medical device - connectivity, handling of private information, protection from malicious code and others. The added risk of mobile devices is the ubiquity of the devices," Aerts says - and that means the devices and their apps have greater overall risk exposure.

FDA should speed up its review process, including assessing security risks and controls, and then patients should be made aware of any risks and what needs to be done to mitigate them, he says.

In its Sept. 12 statement regarding the Apple products, FDA notes that with the agency's launch in the summer of 2017 of its Digital Health Innovation Action Plan, it committed to implementing policies, adding expertise, and exploring a software precertification pilot program to bring clarity and efficiency to how the agency regulates digital health products.

"This requires us to take modern, flexible, risk-based approaches to regulation in this area, which we hope will reduce the time and cost of market entry, while ensuring appropriate patient safeguards are in place," FDA says. "We believe this will help encourage more developers -including those who are new to the healthcare space - to translate digital advances into tools that benefit patients."

As part of its digital health innovation action plan, FDA in April proposed a voluntary program for review of "software-as-a-medical-device" products - those "intended to treat, diagnose, cure, mitigate or prevent disease or other conditions." Under the proposal, certain medical device software, including various mobile apps, could potentially skip the agency's much more rigorous premarket approval process for hardware-based medical devices.

"The FDA has just this year issued a working model around developing a software precertification program," Finn notes. "Is it enough? Probably not, but we have to start somewhere, and this is a start.

"This should be an opportunity for Apple and others to come to the FDA's side and build out the working model. Together, they could enhance, improve and make a model that protects us, the patients and consumers, but is still viable and efficient for software developers."

About the Author

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
